Obfuscation and Weak Multilinear Maps

Similar documents
Cryptanalysis of branching program obfuscators

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13

Graded Encoding Schemes from Obfuscation. Interactively Secure Groups from Obfuscation

Post-Zeroizing Obfuscation: The case of Evasive Circuits

On Kilian s Randomization of Multilinear Map Encodings

Zeroizing Attacks on Indistinguishability Obfuscation over CLT13

Secure Obfuscation in a Weak Multilinear Map Model

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Post-Zeroizing Obfuscation: The case of Evasive Circuits

BEYOND POST QUANTUM CRYPTOGRAPHY

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

Protecting obfuscation against arithmetic attacks

Immunizing Multilinear Maps Against Zeroizing Attacks

More Annihilation Attacks

Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1

Lecture 18: Message Authentication Codes & Digital Signa

Cryptanalyses of Candidate Branching Program Obfuscators

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

Lecture 26. Daniel Apon

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

A Simple Obfuscation Scheme for Pattern-Matching with Wildcards

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Quantum Oracle Classification

Multilinear Maps from Obfuscation

Statistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map

A Comment on Gu Map-1

Lecture 7: CPA Security, MACs, OWFs

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps

From FE Combiners to Secure MPC and Back

Graded Encoding Schemes from Obfuscation

Perfect Secure Computation in Two Rounds

Where do pseudo-random generators come from?

Semantic Security and Indistinguishability in the Quantum World

Lattice-Based Non-Interactive Arugment Systems

Private Puncturable PRFs from Standard Lattice Assumptions

Fully Homomorphic Encryption and Bootstrapping

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 04: Secret Sharing Schemes (2) Secret Sharing

How to Generate and use Universal Samplers

Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps

an information-theoretic model for adaptive side-channel attacks

Lecture 2: Program Obfuscation - II April 1, 2009

Secure Computation. Unconditionally Secure Multi- Party Computation

Obfuscation without Multilinear Maps

Adaptively Secure Constrained Pseudorandom Functions

Quantum Differential and Linear Cryptanalysis

Linear Multi-Prover Interactive Proofs

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Evaluating 2-DNF Formulas on Ciphertexts

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

CS 355: TOPICS IN CRYPTOGRAPHY

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 26: Arthur-Merlin Games

Graded Encoding Schemes from Obfuscation

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Homework 7 Solutions

from Standard Lattice Assumptions

Advanced Cryptography Quantum Algorithms Christophe Petit

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Obfuscation for Evasive Functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation

Computational Number Theory. Adam O Neill Based on

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

1 Reductions and Expressiveness

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Lecture Notes on Secret Sharing

One-Way Functions and (Im)perfect Obfuscation

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2

Lecture 10 - MAC s continued, hash & MAC

Constraining Pseudorandom Functions Privately

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Distribution Design. Ariel Gabizon. Amos Beimel. Eyal Kushilevitz.

Cryptanalysis of GGH15 Multilinear Maps

Modern Cryptography Lecture 4

On the Complexity of Compressing Obfuscation

Cutting-Edge Cryptography Through the Lens of Secret Sharing

Secure Multiparty Computation from Graph Colouring

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Transcription:

Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan

Obfuscation [BGIRSVY 01,GGHRSW 13] Compiler: scrambles program, hiding implementation Industry accepted security notion: indist. Obfuscation P 1 (x) = P 2 (x) (x) io(p 1 ) c io(p 2 ) Crypto complete : io Most Crypto [GGHRSW 13,SW 13, BZ 13, BST 13, GGHR 13, BP 14, HJKSWZ 14, CLTV 14, ]

Multilinear Maps (a.k.a. graded encodings) [BS 03,GGH 13,CLT 13,GGH 15] Main tool for all constructions of obfuscation secret a F, i [k] Levels 1,,k, Field/Ring F Enc [a] i [a] i + [b] i [a+b] i public [a] i [b] j [ab] i+j [a] k IsZero Yes/No

Multilinear Maps (a.k.a. graded encodings) [BS 03,GGH 13,CLT 13,GGH 15] k levels: compute arbitrary degree k polynomials Asymmetric mmaps: additional restrictions E.g. multilinear polynomials

Obfuscation From Multilinear Maps Obfuscate(P): Enc Eval(x): x [p x ] k IsZero P(x) = 1 p x = 0

Applications of Multilinear Maps ABE PKFE SKFE io NIKE WE BE

Zeroizing Attacks on MMaps io NIKE PKFE ABE BE WE SKFE

Zeroizing Attacks on MMaps (Note: apps still possible using obfuscation)

Central Questions Q1: Is obfuscation secure? Q2: If so, how to show it?

This Work: Focus on GGH 13 Mmaps

Background

High- level description GGH13 Level i encoding of x: short x + g s z i (mod q)

High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) x 1 +gs 1 x 2 +gs 2 + = (x 1+x 2 )+g(s 1 +s 2 ) z i z i z i

High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add x 1 +gs 1 x 2 +gs 2. = (x 1x 2 )+g(s 1 x 2 +s 2 x 1 +gs 1 s 2 ) z i z j z i+j

High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add Test for zero at top level k Public parameter p zt = h zk g not too big p zt gs z k = hs not too big p zt x+gs z k = hx big g +hs

High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add Test for zero at top level k Notes: z must be secret (else can go down levels) g must be secret ([GGH 13] show attack otherwise)

Encodings of Zero A Necessary Evil Required for (Most) Applications Re- randomization Needed for most (direct) applications Needed to use any simple assumption on mmaps Add random subset of low- level zeros Successful zero test top level zero

Encodings of Zero A Necessary Evil Required for (Most) Applications Two low- level zeros: e 1 = g s 1 /z i, e 2 = g s 2 /z k-i Multiple of g p zt e 1 e 2 mod q = hgs 1 s 2 (over Z) Dangerous For Security

Encodings of Zero A Necessary Evil Required for (Most) Applications Zeroizing attacks: GGH 13: Source group assumptions (e.g. DLin, Subgroup decision) are false CGHLMMRST 15: Immunizations don t work HJ 16: MDDH is false, multiparty NIKE broken Probably other assumptions broken too (MDHE, etc) Dangerous For Security

Encodings of Zero A Necessary Evil Required for (Most) Applications Dangerous For Security

What about Obf/WE/SKFE? Good News: No re- randomization needed in application no low- level zeros (explicit or implicit) Bad News: Top level zeros may still be generated during use Re- rand still needed for simple assumptions

Central Questions (Restated) Q1: Can top- level zeros be used to attack io? Q2: How to argue security against zeroizing attacks?

Q1: Affirmative! Thm* [MSZ 16]: The branching program obfuscators in [BGKPS 14, PST 14, AGIS 14, BMSZ 16] over GGH 13 do not satisfy io *Small heuristic component

(Single input) Branching Programs A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 6,0 A 7,0 A 8,0 A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A 7,1 8,1 2 4 2 1 3 4 2 5 x = 11001: IMP x ( {A i,b } ) = A 1,1 A 2,0 A 3,1 A 4,1 A 5,0 A 6,0 A A 7,1 8,1 If IMP x = 0, output 1, otherwise output 0

[BMSZ 16] Obfuscator Building on [GGHRSW 13,BR 14,BGKPS 14,AGIS 14, ] α 1,0 R 2 R 2-1 A 1,0 α 2,0 A 2,0 R 3 α 3,0 R 3-1 A 3,0 R 4 α t,0 R t -1 A t,0 α 1,1 A 1,1 R α 2 2,1 R -1 2 A 2,1 R α 3 3,1 R -1 3 A 3,1 R α 4 t,1 R -1 t A t,1 asymmetric mmap

[BMSZ 16] Over GGH 13 Randomized Branching Program Encoding randomness B i,b = α i,b R -1 i A i,b R i+1 S i,b Evaluation: Obfuscation encodings B i,b + z i,b g S i,b C i,b = mod q IMP x ( ) T p x = zt C i,b test if not too big mod q

Attack: Annihilating Polynomials T x = p zt h g IMP x ( C i,b ) mod q B i,b S i,b = IMP x ( + g ) mod q h g B i,b = IMP x ( ) + D x ( α i,b, S i,b, R i ) + g E x ( α i,b, S i,b, R i ) mod q

Attack: Annihilating Polynomials Suppose P(x) = 1 IMP x ( B i,b ) = 0 T x h = IMP x ( B i,b ) + D x ( α i,b g, S i,b, R i ) + g E x (,, ) α i,b S i,b R i mod q not too big, so holds over Z

Attack: Annihilating Polynomials Suppose P(x) = 1 T x = D x ( α i,b, S i,b, R i ) + E x ( α i,b, S i,b, R i ) g Efficiency: Poly- many free vars Exp- many inputs: Pick larger poly set of D x Algebraic dependence: poly Q: Q(D x1, D x2, ) = 0

Attack: Annihilating Polynomials Algebraic dependence: poly Q: Q(D x1, D x2, ) = 0 Annihilating polynomial Q(T x1, T x2, ) = Q(D x1 +ge x1, D x2 +ge x2, ) = Q(D x1, D x2, ) + gq + g 2 Q + = gq + g 2 Q + Multiple of g

Attack: Annihilating Polynomials Goal: find Q that annihilates P 1, but not P 2 Distinguishing Attack* Extends to any purely algebraic obfuscator Problem: in general, annihilation is hard Thm ([Kay 09]): Unless PH collapses, there are dependent polys for which an annihilating polynomial requires super- polynomial sized circuits Question: Can annihilating polys be found for particular obfuscators/programs? * Additional work needed to test for multiple of g

Attack: Annihilating Polynomials Consider single- input setting (used to prove io) Suppose trivial branching program: A i,0 =A i,1 =A i Explicit annihilating polynomial for [BMSZ 16]: q = (D 000 D 111 ) 2 + (D 001 D 110 ) 2 + (D 010 D 101 ) 2 + (D 100 D 011 ) 2-2D 000 D 111 D 001 D 110 2D 000 D 111 D 010 D 101 2D 000 D 111 D 100 D 011-2D 001 D 110 D 010 D 101 2D 001 D 110 D 100 D 011 2D 010 D 101 D 100 D 011 + 4D 000 D 011 D 101 D 111 + 4D 111 D 001 D 010 D 100 Computed by reducing problem to finite size, then brute- force search

Attack: Annihilating Polynomials For dual input: First, reduce problem to finite size Brute- force annihilating poly in constant time Haven t found it yet, but still gives poly- time attack Other obfuscators: [BR 14,BGKPS 14, PST 14, AGIS 14]: similar analysis Also attack ORE (SKFE) [BLRSZZ 15] over GGH 13

Now What? Goal: Argue security of other schemes Problem: Cannot use simple assumptions Solution: Argue security in abstract attack models

Restricted Black Box Fields F = Field, P = class of polynomials on n variables p P IsZero( p(a 1, a 2,, a n ) ) a 1, a 2,, a n F Generic Groups*: P = { Linear functions } Black Box Fields*: P = { Polys with small algebraic circuits} Symmetrix multilinear maps*: P = { Degree k polynomials} Asymmetric multilinear maps*: P = { More complicated restrictions} * Often need greater functionality requirements for protocols. This model suffices for our discussion

Obfuscation in Restricted BBFs ( model used by [BR 14,BGKPS 14,AGIS 14,Z 15,AB 15,BMSZ 16] ) Obfuscate(C): p x P BBF with restricted polynomial class P Eval(x): IsZero( p(a 1, a 2,, a n ) ) a 1, a 2,, a n ß D C If IsZero gives True, output 1 If IsZero gives False, output 0 Our Attack: Model is false for GGH 13

A Conservative Model [BMSZ 16] BBF with restricted polynomial class P p P a 1, a 2,, a n ß D C If IsZero( p(a 1, a 2,, a n ) ), ADVERSARY WINS

Obfuscation for evasive functions [BMSZ 16] Honest executions always give non- zero Thm([BMSZ 16]): Only way for level respecting adversary to get zero is through honest program executions Impossible to find zeros anywhere for evasive funcs Compare to prior abstract model theorems: Thm([BR 14, BGKPS 14, ]): For level respecting adversary, can guess output of IsZero just by knowing P(x) Doesn t say if/when finding a zero is possible

A Conservative Model [BMSZ 16] BBF with restricted polynomial class P p P a 1, a 2,, a n ß D C If IsZero( p(a 1, a 2,, a n ) ), ADVERSARY WINS Model useless in non- evasive settings, e.g. io, SKFE Need model that allows for zeros to occur

Characterizing Attacks All Known Classical Attacks Compute polynomials obeying level restrictions Several top level zero encodings Attack

Characterizing Attacks All Known Classical Attacks Compute polynomials obeying level restrictions Several top level zero encodings Polynomial in the zeros Multiple of g Attack

Refined Abstract Model for Mmap attacks p P a 1, a 2,, a n F s 1, s 2,, s n ß $ F indeterminant Write p(a 1 +gs 1,, a n +gs n ) = c + dg + If c 0, output False If c = 0, output True, d * Also need to assume degree << F Efficient polys* q Q Unrestricted BBF d 1 d 2 d 3 If q(d 1, d 2, ) = 0, adversary wins

Refined Abstract Model for Mmap attacks Seems to capture intuition behind attacks Proof in refined model Heuristic evidence of security against current attacks But keep in mind that: Attack in refined model Not trivially Attack on actual protocol

Blocking Attacks [GMMSSZ 16] Notably absent from attacked schemes: [GGHRSW 13] A i,b : A i,b D i,b Random diagonal converts even trivial branching programs into non- trivial ones size > multilinearity

Blocking Attacks [GMMSSZ 16] Our fix: append random block matrix A i,b : A i,b E i,b Potentially as small as 2 2

Blocking Attacks [GMMSSZ 16] Let BP E be branching program defined by E matrices Let E x be evaluation of BP E on input x Thm: If polynomial Q annihilates {D x }*, then it annihilates {E x } as well Let BP F be any BP, F x evaluation of BP F Thm: If polynomial Q annihilates {E x }*, then it annihilates {F x } as well * = with noticeable probability

Example Proof Sketch Thm: If polynomial Q annihilates {E x }*, then it annihilates {F x } as well Let E i,b = F i,b + r E i,b random E x = F x + r F x + r 2 F x + Q( {E x } ) = Q( {F x } ) + r Q + r 2 Q + By Schwartz- Zippel, if Pr[Q = 0] = non-negl, Then Q must be identically 0 Q( {F x } ) = 0

Branching Program Unannihilateability Assumption: For any efficient polynomial Q*, there is a branching program not annihilated by Q Easy fact: PRFs in NC 1 give unannihilateable branching programs Corollary: Assuming BPUA (or NC 1 PRFs), our obfuscator is secure in the weak mmap model for [GGH 13] * of not too high degree

Future Directions Substantiate BPUA (P NP, general OWF, etc) Attack GGH 13 without annihilating polys Extend to obfuscation for circuits Mostly solved: [DGGMM 16] assuming NC 1 PRFs Extend attacks to CLT 13, GGH 15 Partial progress: [CLLT 16] for single- input io over CLT 13 Useful abstract attack model for CLT 13, GGH 15 Thanks!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback